More stories

  • Digital Defense acquired to bolster HelpSystems’ security assessment portfolio

    Digital Defense has been acquired by HelpSystems in a bid to improve the firm’s vulnerability management and penetration testing services. 

    On Wednesday, HelpSystems said the purchase of Digital Defense will assist “threat-weary” IT teams by providing additional tools and services to improve infrastructure security and risk assessment capabilities. 
    The financial terms of the deal were not disclosed. 
    Founded in 1999, San Antonio, Texas-based Digital Defense is a cybersecurity firm that provides a Software-as-a-Service (SaaS) platform to enterprise clients. The platform includes vulnerability scanning, network asset analysis, and risk score generation to help IT teams focus their remediation efforts.
    According to HelpSystems, the SaaS solutions will be integrated into the firm’s existing portfolio “to give organizations end-to-end infrastructure protection.”
    The purchase builds upon the acquisition of Core Security assets from SecureAuth in 2019 and Cobalt Strike, a penetration testing company, in 2020. Digital Defense will be joining these groups, combining identity management, pen testing, threat detection, vulnerability scanning, and risk assessment. 
    “The addition of Digital Defense offers threat-weary IT teams the capabilities they need to increase infrastructure security on two fronts: via leading-edge vulnerability management technology as well as seasoned pen testing resources to broaden our existing expertise,” commented Kate Bolseth, HelpSystems chief executive.

    In other cybersecurity acquisition news this month, Rapid7 purchased Kubernetes security technology provider Alcide for approximately $50 million. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Android devices ensnared in DDoS botnet

    Netlab, the networking security division of Chinese security firm Qihoo 360, said it discovered this week a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet.
    Named Matryosh, the botnet is going after Android devices where vendors have left a diagnostics and debugging interface known as Android Debug Bridge enabled and exposed on the internet.
    Active on port 5555, this interface has been a known source of problems for Android devices for years, and not only for smartphones but also smart TVs, set-top boxes, and other smart devices running the Android OS.
    Over the past few years, malware families like ADB.Miner, Ares, IPStorm, Fbot, and Trinity, have scanned the internet for Android devices where the ADB interface has been left active, connected to vulnerable systems, and downloaded and installed malicious payloads.
    According to a report published this week, Netlab said Matryosh is the latest in this long line of ADB-targeting botnets, but one that comes with its own twist.
    What sets it apart is the use of the Tor network to hide its command and control servers and a multi-layered process for obtaining the address of that server, hence the botnet’s name, inspired by the classic Russian matryoshka dolls.

    Netlab researchers, who are usually among the first to discover emerging botnets, said the botnet contains several clues suggesting it is the work of the same group that developed the Moobot botnet in 2019 and the LeetHozer botnet in 2020.

    Both botnets were essentially built and used for launching DDoS attacks, which also appears to be Matryosh’s primary function.
    The Netlab team says it found functions in the code that use infected devices to launch DDoS attacks over protocols such as TCP, UDP, and ICMP.
    Very little that users can do
    As it was stated in previous articles about the “ADB issue,” there is very little that end users can do about it.
    While smartphone owners can easily turn off their ADB feature using a setting in the OS options, for other types of Android-based devices, such an option is not available on most devices.
    As a result, many systems will remain vulnerable and exposed to abuse for years to come, providing botnets like Matryosh and others with a large pool of devices they can abuse for crypto-mining, DNS hijacking, or DDoS attacks.

  • Minister says law enforcement to be denied access in new digital ID legislation

    The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with the myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post last year.
    The myGovID and the Australia Post Digital ID are essentially just forms of digital identification that allow a user to access certain online services, such as the government’s online portal myGov.
    There has been discussion of extending digital ID to allow the private sector and state government entities to develop their own platforms. Eftpos previously flagged its interest and, according to the minister in charge of digital transformation, Stuart Robert, PharmacyID is also interested.
    “Now I’m building up, on behalf of the government, a federated model, a trusted digital identity framework,” he said on Wednesday.
    “We’ll have another Act through the Parliament, this year, all going well, that allows other digital identities to be created, so DigiID from Australia Post, Eftpos is interested, so is Pharmacy for PharmacyID, that the idea of replicating 100 point check-in paper form, like you do now at a bank or a telco, but doing that digitally with absolute and utter assurance, and you can get a PharmacyID and you’ll be able to use that seamlessly for government.”
    Appearing before Senate Estimates in November, DTA CDO Peter Alexander said his agency is moving forward with the plan to bring in legislation to allow private entities onboard.
    “It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider. So individuals and businesses dealing with the Australian government and national services will be able to make a choice,” he said.

    The Trusted Digital Identity Framework sets out the operating model for digital identity. It’s essentially a set of rules that federal government agencies can follow, but they can’t be applied to states and territories, or to the private sector.
    This is where legislation will be used.
    Robert highlighted that there have been a number of impediments to data sharing over the years, saying that while they were all well intentioned, they have prevented the use of data. “For example, I can’t use Medicare data to assist you with a simple inquiry. I can’t use disability data for a disability support payment to help you get on the NDIS,” he said.
    The DTA is also looking to add a digital, biometrically anchored identity, which Alexander previously said would allow users to simply take a photograph of themselves for it to be matched to a passport.
    “In time, that will be able to match the other biometrics that are held like driver’s licences, working with vulnerable children — whatever biometric is held,” he said.
    With concerns that law enforcement could have access to the data, particularly the biometric “anchoring” the service provides for, Robert said access would be denied in the coming Bill.
    “We will bring a Bill to the Parliament that will allow the use of data about a citizen to be used only for service delivery and I’ll specifically deny the use for law enforcement or compliance,” he said. “That way if you tell us once you won’t have to fill in a multiple forms, because we’ll have your data once.”
    The minister said 2 million Australians have a myGovID.

  • Google: Proper patching would have prevented 25% of all zero-days found in 2020

    Google said today that a quarter of all the zero-day vulnerabilities discovered being exploited in the wild in 2020 could have been avoided if vendors had patched their products properly.
    The company, through its Project Zero security team, said it detected 24 zero-days exploited by attackers in 2020.
    Six of these were variations of vulnerabilities disclosed in previous years, where attackers had access to older bug reports so they could study the previous issue and deploy a new exploit version.
    “Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit,” Maddie Stone, a member of the Project Zero team, said today in a blog post.
    This included zero-days in Chrome, Firefox, Internet Explorer, Safari, and Windows.

    Furthermore, three other zero-days discovered and patched in 2020 could have been exploited in a similar fashion.
    Stone said that the initial patches for three zero-days, impacting Chrome, Internet Explorer, and Windows, required additional fixes.

    Had a threat actor examined the patches, they could easily have created new exploits, re-weaponized the same vulnerability, and continued their attacks.

    Stone, who also presented her findings at the USENIX Enigma virtual security conference this week, said that this situation could have been avoided if vendors had investigated the root cause of the bugs in greater depth and invested more in the patching process.
    The Project Zero researcher urged other security experts to take advantage of when a zero-day vulnerability is exposed and analyze it in greater depth.
    Stone argued that zero-days provide a window into an attacker’s mind that defenders should take advantage of and try to learn about the entry vectors an attacker is trying to exploit, determine the vulnerability class, and then deploy comprehensive mitigations.
    Stone said this was the primary reason the Google Project Zero team was founded years ago, namely to “learn from 0-days exploited in-the-wild in order to make 0-day hard.”

  • Trucking company Forward Air said its ransomware incident cost it $7.5 million

    Trucking and freight transportation logistics company Forward Air said a recent ransomware attack left a dent of $7.5 million in its Q4 financial results.

    The sum was described as a loss of revenue from its LTL (less-than-load) trucking business and not costs incurred from dealing with the incident.
    The losses stemmed “primarily because of the Company’s need to temporarily suspend its electronic data interfaces with its customers,” Forward Air said in SEC documents filed today.
    The ransomware incident, which took place on December 15 last year and was identified as an attack with the Hades ransomware, forced the company to take all of its IT systems offline to deal with the intrusion.
    According to a report from trucking news site Freight Waves, the incident led to major disruptions to Forward Air’s operations, as drivers and employees couldn’t access the documents needed to clear transports through customs.
    Although Forward Air said it successfully recovered from the attack, today’s SEC filing and the hefty price the company paid show once again why most security researchers have been preaching prevention rather than cure for the ransomware problem.
    The SEC documents filed today make no mention of Forward Air paying the ransom demand or covering it through a cyber insurance policy.

    A report released this week by Coveware, a company that handles ransomware payment negotiations, also mentioned that more and more companies are opting not to pay a ransom demand after learning that ransomware gangs don’t always delete any stolen data.
    More and more companies are today opting to rebuild from scratch instead.
    Nonetheless, despite a dip in observed payments, 2020 was ransomware’s biggest year. A report from blockchain investigations firm Chainalysis estimated that ransomware gangs made at least $350 million from ransom payments in 2020, up 311% from 2019.

  • Cisco Meraki and Openpath launch new enterprise access, video security solution

    Cisco Meraki and Openpath have teamed up to provide a combined security platform designed for smart cameras and building access control.

    On Wednesday, the companies said that by merging Cisco Meraki’s cloud security and smart camera technology together with Openpath’s access control and workplace safety automation portfolio, clients can take advantage of “cloud-first, security technology that can be managed from any location in real-time.”
    The Video Management System (VMS) partnership integrates the two portfolios, linking access activity with smart camera systems; an integrated dashboard can be used by security staff to better monitor access in and out of facilities.
    In addition, the cloud-based solution can be managed remotely, including report submission and access, the remote locking and unlocking of doors, and entry input. Multiple sites can be managed under one account. 
    Real-time event alerts can be enabled for staff to be made aware of when particular doors are accessed, and a “find and follow” system allows security staff to track the movements of a visitor when security events are triggered. 
    “This capability allows for rapid resolution in real-time of security situations and enhances audit and compliance reviews with easy to access and accurate tracking,” the companies say. 
    Research facilities at the University of Virginia’s Biocomplexity Institute have signed up to use the new solution.

    “It is more important than ever that organizations have flexible and agile platforms that can be quickly adapted to meet the security needs of today and tomorrow,” commented Alex Kazerani, Openpath CEO. “We’re thrilled to partner with Cisco Meraki […] to make the most integrated security platform available for the enterprise and look forward to continuing to build on these innovations to safeguard our joint customers.”

  • Microsoft Defender ATP is detecting yesterday's Chrome update as a backdoor

    Image provided to ZDNet by a reader
    Microsoft Defender Advanced Threat Protection (ATP), the commercial version of the ubiquitous Defender antivirus and Microsoft’s top enterprise security solution, is currently having a bad day and labeling yesterday’s Google Chrome browser update as a backdoor trojan.


    The detections, as can be seen in a screenshot above shared with ZDNet by one of our readers, are for Google Chrome 88.0.4324.146, the latest version of the Chrome browser, which Google released last night.
    As per the screenshot above, but also based on reports shared on Twitter by other dismayed system administrators, Defender ATP is currently detecting multiple files that are part of the Chrome v88.0.4324.146 update package as containing a generic backdoor trojan named “PHP/Funvalget.A.”
    The alerts have caused quite a stir in enterprise environments in light of recent multiple software supply chain attacks that have hit companies across the world over the past few months.
    System administrators are currently awaiting a formal statement from Microsoft to confirm that the detection is a “false positive” and not an actual threat.

    ATP is triggering on C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.146\Locales\sk.pak
    — Dark Defender (@ShadyDefender) February 3, 2021

    Hey @msftsecresponse – Seeing lots of Defender ATP alerts this morning on C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.104\Locales\sl.pak detected as PHP/Funvalget.A. Can you confirm this is a false positive? SHA256 in reply.
    — W. David Winslow (@wdwinslow) February 3, 2021

    Defender detected sl.pak as ‘Backdoor:PHP/Funvalget.A’ C:\Program Files\Google\Chrome\Application\88.0.4324.146\Locales\sl.pak
    Defender detected chrome.7z as ‘Backdoor:PHP/Funvalget.A’ C:\Program Files\Google\Chrome\Application\88.0.4324.146\Installer\chrome.7z
    — itquartz (@itquartz) February 3, 2021

    ZDNet contacted a Microsoft spokesperson before this article’s publication, seeking a formal statement on the ATP detections.
    Chances are that this is indeed an erroneous detection, but until a formal announcement, administrators are advised to wait before taking other actions.

    The free version of the Microsoft Defender antivirus, the one that ships with all recent Windows versions, has not detected the recent Chrome update as malicious, according to multiple ZDNet tests.
    Updated at 15:55 ET to add that Microsoft has confirmed that today’s Funvalget detections for Chrome files were false positives caused by “an automation error.”
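The advice above (wait for the vendor before acting) is easier to follow when the alert wave can be triaged quickly. The following script is an added example, not code from the article or from Microsoft or Google: it parses Defender-style “detected X as Y <path>” lines like the ones quoted in the tweets, groups them by detection name, and compares the SHA256 of each flagged file with a reference hash list. The reference list is assumed to come from a known-clean install or vendor-supplied hashes; the alert lines and file contents below are constructed for the demo, and the hashes are not real Chrome hashes.

```python
"""Triage helper for an AV detection wave such as the Chrome/Funvalget one.

Added example (not from the article). Assumes the reference hashes in
KNOWN_GOOD come from a trusted source, e.g. a clean reference install.
"""
import hashlib
import re
from collections import defaultdict

# Constructed alert lines modelled on the tweets quoted in the story.
# Only the "detected <file> as '<detection>' <path>" shape is handled here.
SAMPLE_ALERTS = [
    r"Defender detected sl.pak as 'Backdoor:PHP/Funvalget.A' C:\Program Files\Google\Chrome\Application\88.0.4324.146\Locales\sl.pak",
    r"Defender detected chrome.7z as 'Backdoor:PHP/Funvalget.A' C:\Program Files\Google\Chrome\Application\88.0.4324.146\Installer\chrome.7z",
    r"Defender detected sk.pak as 'Backdoor:PHP/Funvalget.A' C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.146\Locales\sk.pak",
]

# "<drive>:\" followed by the rest of the line is the flagged path.
ALERT_RE = re.compile(r"detected (?P<name>\S+) as '(?P<det>[^']+)' (?P<path>[A-Za-z]:\\.*)$")


def parse_alert(line):
    """Return {'file', 'detection', 'path'} for one alert line, or None."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    return {"file": m["name"], "detection": m["det"], "path": m["path"]}


def group_by_detection(lines):
    """Map detection name -> list of flagged paths (unparseable lines are skipped)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec:
            groups[rec["detection"]].append(rec["path"])
    return dict(groups)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(path, content: bytes, known_good):
    """Compare a flagged file's hash with the reference hash for that path.

    'matches-reference' supports the false-positive hypothesis for that file;
    'MISMATCH' means the file on disk differs from the reference and needs
    real investigation; 'unknown' means no reference hash exists yet.
    """
    expected = known_good.get(path)
    if expected is None:
        return "unknown"
    return "matches-reference" if sha256_of(content) == expected else "MISMATCH"


def triage(alert_lines, file_contents, known_good):
    """Return {detection: {path: verdict}} for every parsed alert.

    file_contents maps path -> bytes read from the affected host.
    """
    report = {}
    for detection, paths in group_by_detection(alert_lines).items():
        report[detection] = {
            p: classify(p, file_contents.get(p, b""), known_good) for p in paths
        }
    return report


if __name__ == "__main__":
    # Constructed demo data: two files match the reference, one has no reference hash.
    sl = r"C:\Program Files\Google\Chrome\Application\88.0.4324.146\Locales\sl.pak"
    sk = r"C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.146\Locales\sk.pak"
    contents = {sl: b"constructed sl.pak bytes", sk: b"constructed sk.pak bytes"}
    reference = {p: sha256_of(b) for p, b in contents.items()}
    for det, verdicts in triage(SAMPLE_ALERTS, contents, reference).items():
        print(det)
        for p, v in verdicts.items():
            print(f"  {v:18} {p}")
```

A wave in which every flagged path hashes to its reference value is consistent with a signature error like the one Microsoft later confirmed; a single MISMATCH is the case that justifies isolating the host rather than waiting.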

  • SolarWinds patches three newly discovered software vulnerabilities

    SolarWinds customers are being urged to apply newly released security patches after the discovery of three previously undisclosed severe vulnerabilities which could allow attackers to abuse the enterprise IT administration tools to take control of Windows systems.
    The disclosure of the two vulnerabilities in SolarWinds Orion and one in SolarWinds Serv-U FTP comes following December’s discovery that SolarWinds had been hacked – likely by a Russian operation – and its software updates compromised in order to distribute malware to 18,000 Orion customers.
    The hack was part of a wider campaign against other tech vendors that represents one of the biggest cyber incidents in recent years, and it led cybersecurity researchers at Trustwave to examine SolarWinds products for further vulnerabilities – and they found three.
    The most severe vulnerability (CVE-2021-25275) could allow attackers to exploit a flaw in how Orion works with Microsoft Message Queue (MSMQ) to gain access to secured credentials in the backend and gain complete control over the entire Windows server. This could be used to steal information or add new admin-level users to Orion.
    A second vulnerability (CVE-2021-25274) could allow remote, unauthenticated users to run code in a way that allows complete control of the underlying Windows operating system. This again could lead to unauthorised access to sensitive systems and servers.
    The third vulnerability (CVE-2021-25276) relates to SolarWinds Serv-U FTP and allows anyone who can log in locally, or remotely via RDP, to add an admin account with all the privileges that brings when it comes to access to the network and servers, potentially providing an attacker with access to sensitive information.
    “All of these vulnerabilities have the potential of completely compromising the Windows server running valuable software,” Karl Sigler, threat intelligence manager at Trustwave told ZDNet.

    “Orion isn’t like an Office suite, it’s used by your network administrator and other people with a lot of privileges and access to valuable data on the network,” Sigler said.
    Trustwave disclosed its findings to SolarWinds, and security patches have been released to close the vulnerabilities and prevent them from being exploited.
    “Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now. The vulnerabilities announced by Trustwave concerning Orion 2020.2.4 have been addressed via a fix released on Jan 25, 2021. The vulnerabilities concerning Serv-U 115.2.2 will be addressed via a fix released on Feb 3, 2021,” a SolarWinds spokesperson told ZDNet.
    “We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process,” they added.
    There’s currently no evidence that cyber attackers have successfully used these vulnerabilities.
    “We can never one hundred percent say these haven’t been exploited in the wild – but I think we’ve beaten the bad guys to the punch here. I think we were able to find them before they did and hopefully put patches in place before they learn how to exploit them,” said Sigler.
    Organisations are therefore advised to have a strategy for applying the security patches that protect against the three newly disclosed vulnerabilities as soon as possible.
